Identified by mobile security company TrustGo — which named it ‘MMarketPay.A’ — the malware can order content from China Mobile’s app store, and TrustGo found evidence that it has already infected content in the following third party app stores: nDuoa, GFan, AppChina, LIQU, ANFONE, Soft.3g.cn, TalkPhone, 159.com and AZ4SD.
Essentially, users that download infected apps from these stores are at risk of accumulating bills from Mobile Market (M-Market), the official app store run by 660 million subscriber-strong China Mobile. Once it makes its way to a device, MMarketPay.A can bypass the SMS security step used by the world’s largest operator to log-in, download content and place orders without the knowledge of unsuspecting mobile phone owners.
The TrustGo team explains how the regular M-Market payment system works, and how the virus can hijack it:
Customers login at M-Market website (http://mm.10086.cn/).
No login required if f you are using CMWAP as Access Point. M-Market will send a verification code to you via SMS if customer purchased paid apps or contents. Customers receive the verification code and input it to M-Market for verification.
Once the verification completed, the market will download apps automatically. China Mobile will add this order in customers’ phone bill.
[The virus] MMarketPay.A can place orders via M-Market payment system automatically:
Changes the APN to CMWAP, so that it can login MMarket automatically.
Finds paid application and simulates the click action in background.
Intercept the received SMS messages and collect verification code sent by M-Market. If CAPTCHA image is invoked, it will post the image to remote server for analyzing the verification code.
Post the verification code to M-Market website.
Download the application and customers get charged.
M-Market also includes premium paid-for video content, which the virus is able to search, play and download without the knowledge of device owners.
This isn’t the first Android-targeting virus to have emerged in China and, as recently as January, a similar bill-racking virus called ‘MSO.JPApps’ began to spread outside of China following a warning from security firm NetQin.
MMarketPlay.A hasn’t made it to Google Play but the nature of China’s app ecosystem — which has hundreds of app stores that are popular with Android owners — is such that the virus has already become a significant threat simply by appearing in a large number of stores, and devices.
The fact that the stores are all located in China makes the chances of it spreading out of the country unlikely, but — with Android accounting for some 55 percent of all smartphones in China — it highlights the security pitfalls of the fragmented Android app space in China.
TrustGo recommend that mobile owners should only download content from “trusted app stores” and ensure that their device has a mobile security app that can scan for malware in real-time.
As you’d expect, the firm has its own suite of security products that perform that function, including its dedicated mobile security app.
“The ease and speed that malicious apps can be developed and distributed to unsuspecting users is one of the fastest growing security concerns,” said Xuyang Li, CEO of TrustGo. “We believe that TrustGo is the only security application that can detect and prevent threats like the Trojan!MMarketPay.A@Android through our patent pending Secure App Finder Engine.”
As of January, the M-Market store had more than 149 million registered users, who make 30 million downloads each month. Last year, the store’s revenue hit $3.6 million (23 million yuan) and December saw China Mobile announce plans to open the store to subscribers from other carriers in China.
Image via Shutterstock / Sebastian Kaulitzki